1

I have 2 scripts. They are:

  1. registration.html
  2. process_registration.php

Sometimes someone opens the link directly to process_registration.php, so how can I prevent that?

The function of process_registration.php is to save the data received from the input in registration.html.

Any ideas?

Naga Botak
  • Possible duplicate: http://stackoverflow.com/questions/1101895/how-to-stop-direct-execution-of-a-php-page-using-htaccess-rules – Peon Sep 25 '12 at 06:58

5 Answers

4

You can use:

if (!isset($_POST['field'])) {
  die();
}

at the top of your process_registration.php file.

Of course, replace field with one of the existing fields in your form.

If you're against flooders that register several accounts using scripts, you may use a captcha field on your registration form, or use protections against crawling.

Alain Tiemblo
  • $_POST can also be sent with PHP cURL, so I don't think that this is the most efficient solution. For better security I think you can also verify the referer – Mihai Matei Sep 25 '12 at 06:58
  • Referer can also be set by cURL – Alain Tiemblo Sep 25 '12 at 07:00
  • Everything a browser can send can be emulated. So if you need real protection, you will need a more complex solution, like generating one-time passwords (hashes). – Johni Sep 25 '12 at 10:22
3

Just another method:

if (empty($_POST)) {
  exit("Direct access not allowed");
}

Just more flexible with the object names. For extra security, you should put this in your form:

<input type="hidden" value="9957374" name="hiddenvalidate" />

and in your script:

if (!isset($_POST['hiddenvalidate']) || $_POST['hiddenvalidate'] !== '9957374') {
  exit("Direct access not allowed");
}
Lucas
1

You can check if the current request is a POST type (if you use a form):

if($_SERVER['REQUEST_METHOD'] == 'POST')

and you can also check if all required variables are set.

Johni
1

You can use the $_POST array in process_registration.php for this, like:

if (!isset($_POST['yourvariable'])) {
  // Redirect to registration page
  header('Location: registration.html');
  exit;
}

You can also use a PHP session for it. If the session is not set, then redirect the user to the registration page.

J.K.A.
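
The session approach in the answer above and the one-time hash suggested in the comments on the first answer can be combined into a single-use form token. This is an added example, not code from any of the answers; the field name form_token and both function names are hypothetical, and it assumes the form page is rendered by PHP rather than static HTML so the token can be embedded.

```php
<?php
declare(strict_types=1);

// Called by the page that renders the form: create a random token,
// store it in the session, and return it for the hidden field.
function issue_form_token(): string
{
    $token = bin2hex(random_bytes(32));
    $_SESSION['form_token'] = $token;
    return $token;
}

// Called at the top of process_registration.php: true only for a POST
// carrying the token issued to this session. The token is deleted on
// first use, so a replayed or direct request fails.
function consume_form_token(): bool
{
    $expected = $_SESSION['form_token'] ?? null;
    unset($_SESSION['form_token']);            // single use, pass or fail
    $given = $_POST['form_token'] ?? null;
    return ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST'
        && is_string($expected)
        && is_string($given)
        && hash_equals($expected, $given);     // constant-time comparison
}

session_start();

if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    // --- the part that belongs in process_registration.php ---
    if (!consume_form_token()) {
        http_response_code(403);
        exit('Direct access not allowed');
    }
    echo 'Token accepted, registration data can be saved.';
    exit;
}

// --- the part that belongs in the form page ---
$token = issue_form_token();
?>
<form method="post">
  <input type="text" name="username">
  <input type="hidden" name="form_token" value="<?= htmlspecialchars($token, ENT_QUOTES) ?>">
  <input type="submit" value="Register">
</form>
```

Unlike a fixed hidden value, the token differs per session and is valid once, so a request that never loaded the form is rejected. It does not stop a scripted client that loads the form first, which is where the captcha mentioned in the first answer applies.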
1

I like the way Joomla handles this issue.

On every PHP page in Joomla, you will see the following code:

// No direct access
defined('_JEXEC') or die; // it's a config setting

Only the top-level pages have this variable included in them. All other files, if opened directly, close, thereby preventing any accidental misuse/data loss.

web-nomad